Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2017/05/25 15:18:04 UTC
[jira] [Assigned] (SYNCOPE-1067) More flexible delegated administration model
[ https://issues.apache.org/jira/browse/SYNCOPE-1067?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francesco Chicchiriccò reassigned SYNCOPE-1067:
-----------------------------------------------
Assignee: Francesco Chicchiriccò
> More flexible delegated administration model
> --------------------------------------------
>
> Key: SYNCOPE-1067
> URL: https://issues.apache.org/jira/browse/SYNCOPE-1067
> Project: Syncope
> Issue Type: Improvement
> Components: console, core
> Reporter: Francesco Chicchiriccò
> Assignee: Francesco Chicchiriccò
> Fix For: 2.0.4, 2.1.0
>
>
> The current implementation of [delegated administration|https://syncope.apache.org/docs/reference-guide.html#delegated-administration] relies on Roles, where each Role associates a set of Entitlements (e.g. administrative actions) to a set of Realms (e.g. containers for Users / Groups / Any Objects).
> This requires, however, that the set of Users / Groups / Any Objects to administer is somehow statically defined by containment: "administrators with role R can manage users under realms /a and /b" works as long as users to administer are fully contained by the Realms /a and /b; but what if the set of Users that R can administer needs to be dynamically defined, say by the value of a 'department' attribute?
> Two approaches can be taken here:
> # extend the Role concept to map Entitlements to Realms and / or Groups
> # introduce the new concept of Virtual Realm, e.g. containers that are defined by dynamic conditions (as currently happening for Groups and Roles), and make Roles map Entitlements to Realms / Virtual Realms
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
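
The authorization decision discussed in the issue above, as an added example that is not part of the original message and is not Syncope code: it contrasts the containment-based check with the second approach, where a Role also maps Entitlements to condition-defined realms. All class, function and variable names, the `USER_UPDATE` string and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple

# Illustrative model only; none of these names are Syncope classes or APIs.
@dataclass
class User:
    name: str
    realm: str                                   # full Realm path, e.g. "/a/sales"
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass(frozen=True)
class VirtualRealm:                              # hypothetical: membership by condition
    key: str
    condition: Callable[[User], bool]

@dataclass(frozen=True)
class Role:
    entitlements: FrozenSet[str]
    realms: Tuple[str, ...] = ()
    virtual_realms: Tuple[VirtualRealm, ...] = ()

def contained(user_realm: str, realm: str) -> bool:
    """Static containment on whole path segments: /a covers /a/sales, not /ab."""
    prefix = realm.rstrip("/") + "/"
    return user_realm == realm or user_realm.startswith(prefix)

def is_authorized(role: Role, entitlement: str, user: User) -> bool:
    if entitlement not in role.entitlements:
        return False                             # entitlement not granted: deny
    if any(contained(user.realm, r) for r in role.realms):
        return True                              # current model: by containment
    return any(v.condition(user) for v in role.virtual_realms)

# Constructed sample data.
ALICE = User("alice", "/a/sales")
BOB = User("bob", "/c", {"department": "finance"})
CAROL = User("carol", "/ab")
STATIC_R = Role(frozenset({"USER_UPDATE"}), realms=("/a", "/b"))
FINANCE = VirtualRealm("finance", lambda u: u.attrs.get("department") == "finance")
DYNAMIC_R = Role(frozenset({"USER_UPDATE"}), virtual_realms=(FINANCE,))

if __name__ == "__main__":
    for role_name, role in (("STATIC_R", STATIC_R), ("DYNAMIC_R", DYNAMIC_R)):
        for u in (ALICE, BOB, CAROL):
            print(role_name, u.name, is_authorized(role, "USER_UPDATE", u))
```

A user with no `department` attribute never matches the condition, so the dynamic grant fails closed; the scope of such a Role changes whenever the attribute value changes, which makes write access to that attribute part of the authorization surface.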